MS Windows Event Logging XML - Application
Device Details
| Device Name | MS Windows Event Logging XML - Application |
|---|---|
| Vendor | Microsoft |
| Device Type | N/A |
| Supported Model Name/Number | N/A |
| Supported Software Version(s) | N/A |
| Collection Method | MS Windows Event Logging |
| Configurable Log Output? | No |
| Log Source Type | N/A |
| Log Processing Policy | LogRhythm Default |
| Exceptions | N/A |
| Additional Information | https://docs.microsoft.com/en-us/windows/win32/msi/event-logging |
Supported Log Messages
(List of LR Tags used to parse the log information for each message type)
| Type | Product Version | Supported Schema Fields |
|---|---|---|
| Catch All : Application Messages | N/A | <vmid>, <vendorinfo>, <severity>, <dname>, <object> |
| Catch All : Crypto API Messages | N/A | <vendorinfo>, <vmid>, <severity>, <dname>, <processid>, <session>, <object>, <hash> |
| Catch All : ESENT Messages | N/A | <vendorinfo>, <vmid>, <severity>, <dname>, <process>, <processid> |
| Catch All : Level 2 2 | N/A | <vendorinfo>, <vmid>, <severity>, <dname>, <domainorigin>, <login>, <process>, <processid>, <session> |
| Catch All : Level 3 | N/A | <process>, <vendorinfo>, <vmid>, <severity>, <processid>, <session>, <dname>, <domain>, <login>, <object>, <sip> |
| Catch All : MsiInstaller Messages | N/A | <vmid>, <vendorinfo>, <severity>, <dname>, <session>, <processid> |
| Catch All : MSSQLSERVER Messages | N/A | <vmid>, <vendorinfo>, <severity>, <sip>, <sname>, <dname>, <login>, <domainorigin>, <command>, <action>, <reason>, <tag1>, <tag2> |
| Catch All : Outlook Messages | N/A | <vmid>, <vendorinfo>, <severity>, <dname>, <object> |
| Catch All : Service Optimization | N/A | <vendorinfo>, <vmid>, <severity>, <dname>, <domainorigin>, <login>, <session>, <process>, <processid>, <status> |
| Catch All : SQLVDI Messages | N/A | <vmid>, <vendorinfo>, <severity>, <dname> |
| Catch All : SQLWRITER Messages | N/A | <vmid>, <vendorinfo>, <severity>, <dname> |
| Catch All - Symantec AntiVirus | N/A | <vendorinfo>, <vmid>, <severity>, <dname>, <domainorigin>, <login>, <object>, <objectname>, <objecttype>, <command>, <parentprocesspath> |
| Catch All : System Restore Messages | N/A | <vmid>, <vendorinfo>, <severity>, <dname>, <session>, <processid>, <command>, <action> |
| Catch All : Trend Micro OfficeScan Server | N/A | <vendorinfo>, <vmid>, <severity>, <dname>, <login>, <domainorigin>, <session>, <process>, <processid>, <subject> |
| Catch All : VSS Messages | N/A | <vendorinfo>, <vmid>, <severity>, <dname> |
| Catch All : Windows Error Reporting Messages | N/A | <vendorinfo>, <vmid>, <severity>, <dname>, <subject>, <object> |
| Catch All : WSUS Messages | N/A | <vmid>, <vendorinfo>, <severity>, <dname> |
| Certificate Services Client : Cert Enrollment | N/A | <vendorinfo>, <vmid>, <severity>, <processid>, <session>, <dname>, <domain>, <login>, <group>, <object> |
| EVID 1 : CVE Messages | N/A | <vmid>, <severity>, <dname>, <account>, <processid>, <object>, <cve>, <tag1> |
| EVID 3 : System Service Model Exception | N/A | <vendorinfo>, <vmid>, <severity>, <dname>, <domainorigin>, <login>, <process>, <processid>, <subject>, <object> |
| EVID 1000 : Application Fault | N/A | <vendorinfo>, <vmid>, <severity>, <dname>, <process>, <version>, <object> |
| EVID 1002 : Application Hang | N/A | <vendorinfo>, <vmid>, <severity>, <dname>, <process>, <version>, <object> |
| EVID 1008 : Microsoft-Windows-Perflib | N/A | <vendorinfo>, <vmid>, <severity>, <dname>, <processid>, <version>, <object>, <objectname>, <threatid>, <bytesin> |
| EVID 1026 : Net Process Terminated Unhandled Excp | N/A | <vendorinfo>, <vmid>, <severity>, <dname>, <process>, <version> |
| EVID 1040 & 1042 : MsiInstaller | N/A | <vendorinfo>, <vmid>, <severity>, <dname>, <domain>, <login>, <object>, <process>, <processid> |
| EVID 1309 : ASP.NET Request Aborted | N/A | <vendorinfo>, <vmid>, <severity>, <dname>, <domainorigin>, <login>, <process>, <processid>, <object>, <tag1> |
| EVID 1530 : Registry Key Still In Use | N/A | <vendorinfo>, <vmid>, <severity>, <processid>, <session>, <dname>, <domain>, <login>, <quantity>, <process>, <object> |
| EVID 2004 : Microsoft-Windows-PerfNet | N/A | <vendorinfo>, <vmid>, <severity>, <dname>, <processid>, <version>, <threatid> |
| EVID 4609 : COM+ Event System Bad Return Code | N/A | <vendorinfo>, <vmid>, <severity>, <processid>, <session>, <dname>, <object>, <objectname>, <subject> |
| EVID 5605 : Microsoft-Windows-WMI | N/A | <vendorinfo>, <vmid>, <severity>, <dname>, <login>, <domainorigin>, <processid>, <version> |
| EVID 33205 : SQL Audit Event | N/A | <vendorinfo>, <vmid>, <severity>, <sname>, <quantity>, <tag1>, <result>, <sessiontype>, <session>, <tag2>, <login>, <tag3>, <account>, <dname>, <object>, <group>, <objectname> |
| LogRhythm Diagnostics | N/A | <vmid>, <sip>, <sport>, <dname>, <object>, <objectname>, <rate>, <tag1>, <tag2>, <tag3> |
| LogRhythm KB Admin Service | N/A | <vendorinfo>, <vmid>, <severity>, <dname>, <object>, <objectname> |
| MailMarshal Messages | N/A | <vendorinfo>, <vmid>, <severity>, <sname>, <dname>, <session>, <object>, <subject>, <version> |
| MsiInstaller : Installer Close Messages | N/A | <vendorinfo>, <vmid>, <severity>, <dname>, <domain>, <login>, <process>, <subject>, <object> |
| MsiInstaller Messages 1 | N/A | <vendorinfo>, <vmid>, <severity>, <dname>, <domain>, <login>, <process>, <version> |
| MS Windows Log Messages | N/A | <vendorinfo>, <vmid>, <severity>, <dname>, <session>, <process>, <processid>, <object>, <objectname>, <subject>, <version>, <useragent> |
Revision History
| KB Version | Log Type | Change Type | Details |
|---|---|---|---|
| KB 7.1.598.0 | N/A | Parsing Improvement and Documentation | N/A |